#!/bin/sh

username="$1"
userpwd="$2"
login_user="$3"

echo "清理CA环境"
cd /home/${username}
rm -rf demoCA openssl.cnf cacert.pem server.* client.*

echo "搭建CA环境"
cp /etc/pki/tls/openssl.cnf ./
mkdir -p ./demoCA ./demoCA/newcerts ./demoCA/private
chmod 700 ./demoCA/private
echo '01'>./demoCA/serial
touch ./demoCA/index.txt

new_v="dir  = ./demoCA"
sed -i "/^dir/c$new_v" openssl.cnf

new_v="default_md      = sha256"
sed -i "/^default_md/c$new_v" openssl.cnf

echo "生成CA私钥"
echo "RSA证书"
expect <<-EOF
	set timeout 300
	spawn openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*pass phrase*" { send "$userpwd\n"}
	expect eof
EOF

echo "生成CA根证书申请文件careq.pem"
expect <<-EOF
	set timeout 300
	spawn openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*Country Name*" { send "CN\n" }
	expect "*Province Name*" { send "shanxi\n"}
	expect "*Locality Name*" { send "xian\n"}
	expect "*Organization Name*" { send "Abc\n"}
	expect "*Organizational Unit Name*" { send "hello\n"}
	expect "*Common Name*" { send "${login_user}\n"}
	expect "*Email Address*" { send "\n"}
	expect "*A challenge password*" { send "\n"}
	expect "*company name*" { send "\n"}
	expect eof
EOF

echo "生成CA自签发根证书"
new_v="basicConstraints=CA:TRUE"
sed -i "/^basicConstraints/c$new_v" openssl.cnf
expect <<-EOF
	set timeout 300
	spawn openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*y/n*" { send "y\n"}
	expect "*y/n*" { send "y\n"}
	expect eof
EOF

echo "生成服务端证书私钥"
echo "RSA证书私钥"
expect <<-EOF
	set timeout 300
	spawn openssl genrsa -aes256 -out server.key 2048
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*pass phrase*" { send "$userpwd\n" }
	expect eof
EOF

echo "根据提示输入服务端私钥的密码，加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件"
expect <<-EOF
	set timeout 300
	spawn gs_guc encrypt -M server -D ./
	expect "*assword*" { send "$userpwd\n" }
	expect eof
EOF

echo "生成服务器证书请求文件server.req"
expect <<-EOF
	set timeout 300
	spawn openssl req -config openssl.cnf -new -key server.key -out server.req
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*Country Name*" { send "CN\n" }
	expect "*Province Name*" { send "shanxi\n"}
	expect "*Locality Name*" { send "xian\n"}
	expect "*Organization Name*" { send "Abc\n"}
	expect "*Organizational Unit Name*" { send "hello\n"}
	expect "*Common Name*" { send "${login_user}\n"}
	expect "*Email Address*" { send "\n"}
	expect "*A challenge password*" { send "\n"}
	expect "*company name*" { send "\n"}
	expect eof
EOF

echo "生成服务端证书"
new_v="basicConstraints=CA:FALSE"
sed -i "/^basicConstraints/c$new_v" openssl.cnf
new_v="unique_subject = no"
sed -i "/^unique_subject/c$new_v" demoCA/index.txt.attr
expect <<-EOF
	set timeout 300
	spawn openssl ca  -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*y/n*" { send "y\n"}
	expect "*y/n*" { send "y\n"}
	expect eof
EOF

echo "生成客户端证书私钥"
echo "RSA证书私钥"
expect <<-EOF
	set timeout 300
	spawn openssl genrsa -aes256 -out client.key 2048
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*pass phrase*" { send "$userpwd\n" }
	expect eof
EOF

echo "根据提示输入客户端私钥的密码，加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件"
expect <<-EOF
	set timeout 300
	spawn gs_guc encrypt -M client -D ./
	expect "*assword*" { send "$userpwd\n" }
	expect eof
EOF

echo "生成客户端证书请求文件"
expect <<-EOF
	set timeout 300
	spawn openssl req -config openssl.cnf -new -key client.key -out client.req 
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*Country Name*" { send "CN\n" }
	expect "*Province Name*" { send "shanxi\n"}
	expect "*Locality Name*" { send "xian\n"}
	expect "*Organization Name*" { send "Abc\n"}
	expect "*Organizational Unit Name*" { send "hello\n"}
	expect "*Common Name*" { send "${login_user}\n"}
	expect "*Email Address*" { send "\n"}
	expect "*A challenge password*" { send "\n"}
	expect "*company name*" { send "\n"}
	expect eof
EOF

echo "对生成的客户端证书请求文件进行签发，签发后将生成正式的客户端证书client.crt"
expect <<-EOF
	set timeout 300
	spawn openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256
	expect "*pass phrase*" { send "$userpwd\n" }
	expect "*y/n*" { send "y\n"}
	expect "*y/n*" { send "y\n"}
	expect eof
EOF

cp demoCA/cacert.pem .
zip db-cert-replacement.zip server.crt server.key server.key.cipher server.key.rand client.crt client.key client.key.cipher client.key.rand cacert.pem













